NFT Security in Blockchain | QuillAudits


There have been several instances of NFT hacks and exploits in the past, and it is important for users of NFTs to be aware of these risks and take steps to protect their assets. This blog covers what an NFT is, how the NFT ecosystem functions, the vulnerabilities in that ecosystem, and how we can secure our NFTs.

Table of Contents:

  1. What is NFT
  2. Functioning of NFT Ecosystem
  3. NFT Security Issues
  4. NFT Hacks Case-Studies
  5. Keeping NFT Secure
  6. Further Research

What is NFT?

An NFT, or Non-Fungible Token (ERC-721), is a digital asset representing real-world objects like art, music, in-game items, and videos. NFTs are stored on publicly accessible blockchains such as Ethereum. Unlike ERC-20 tokens, which are interchangeable with one another, each NFT is unique and cannot be exchanged one-for-one with another token.

Functioning of NFT Ecosystem:

The ownership of an NFT is recorded on the blockchain and can be transferred by the owner, which allows NFTs to be sold and traded. The ecosystem starts with the creators.
They produce digital assets like art, images, and videos and upload them to hosting services so that the content is publicly available. When they mint an NFT, they execute code stored in a smart contract that conforms to a standard such as ERC-721, and the resulting token record is added to the blockchain on which the NFT is managed.

Source: Understanding Security Issues in the NFT Ecosystem

Then, sellers and buyers auction and trade their NFTs on an NFT platform. After the buyer signs the transaction, the platform writes the transaction record to the blockchain, including the transfer of the payment amount and of the ownership of the artwork.

NFT Security issues:

1. Smart Contract Vulnerabilities: At their core, NFTs are smart contracts, so they are exposed to the same classes of attack as any other smart contract, including reentrancy, integer overflow, and access control flaws. Access control bugs and reentrancy are the most common issues found in NFT smart contracts.

2. Marketplace Vulnerabilities: A vulnerability in an NFT marketplace may pose a danger to the NFTs themselves and can even lead to NFT theft. Recently, OpenSea was the victim of an attack in which the attacker was able to purchase NFTs at their old listing value. Several users were able to purchase valuable NFTs at prices much lower than the tokens’ market value because of this flaw.

3. Storage Problem: If the metadata of an NFT is stored off-chain and there is ever a problem with the off-chain host, the link stored in the token becomes useless and the NFT’s content is no longer available. Centralized off-chain applications and storage systems also remain exposed to traditional DoS attacks, which can deny service to the NFT systems that depend on them.

4. Social Media Hacks: Attackers have recently been targeting the social media (Discord/Twitter) accounts of NFT projects, commonly using phishing, social engineering, bots, and similar techniques to compromise them. After compromising a project’s server or account, they can trick users into connecting their wallets to malicious websites that steal NFTs. Check out this blog for more details.

5. NFT Scams and Phishing: Phishing is typically how hackers gain access to your NFT account information. They frequently use email or well-known social media sites and forums like Twitter and Discord to distribute fraudulent URLs. Once you click the link and submit your information, the attackers can access your account and compromise it, for instance via keylogging or spyware.

6. Market Manipulation in Trading: There are numerous ways in which the NFT market can be manipulated. Some of the common forms of market manipulation are wash trading, pump-and-dump schemes, and celebrity endorsements. Malicious actors often inflate the price of an NFT using these techniques and then dump it for profit. Check out this blog for more info.

7. Private Key / Seed Phrase Leak: NFT ownership is controlled by a private key that acts as the gatekeeper for all the assets in a given digital wallet. If your private key is leaked, anyone who has it can steal the NFTs from that wallet and sell them. Therefore, it’s crucial to store your private key in a safe location.

Check out the comprehensive list of NFT attack vectors for more details on these NFT attacks:
https://github.com/Quillhash/NFT-Attack-Vectors

NFT Hacks Case Studies:

1. Lympo: On 10 January 2022, the sports NFT minting platform Lympo suffered a hack that led to the loss of 165.2 million LMT tokens, i.e. $18.7 million at the time of the hack.
The root cause of the attack was the leak of the hot wallet’s private key, which allowed the attackers to take control of the NFTs and steal them. Read here for more details on the incident.

2. Bored Ape Yacht Club: In April 2022, fraudsters stole tokens from the developers of the Bored Ape Yacht Club collection. The theft was carried out by compromising the developer’s Instagram account. A total of 13.7 million worth of NFTs were stolen in the hack.

3. OpenSea NFT Marketplace: In February 2022, users of the NFT marketplace OpenSea were the victims of a phishing attack. The attacker managed to steal 1,200 ETH from the affected users, which was later sold for $1.7 million. Check out this blog for more details.

How can users keep their NFTs safe?

1. Due Diligence: Users should conduct their own due diligence before investing in any NFT project. Usually, due diligence involves analyzing fundamental details like:
  1. The project founders’ profiles and backgrounds
  2. The project’s social media accounts (Twitter, Discord, etc.)
  3. The price, supply, and rarity of the NFTs
  4. The utility of the NFTs
  5. Whether the project has been audited or not

2. Trade NFTs on a Reputable and Secure Marketplace: Security is an essential consideration for NFT traders, especially given that there have already been several high-profile platform hacks. So, trade only on reputable and secure NFT marketplaces.

3. Never Blind-Sign NFT Transactions: Before confirming a transaction, always examine which permissions the smart contract call is requesting. Many attackers disguise their actions inside smart contract calls, obtaining unauthorized access to the funds and tokens in your wallet.
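One way to put this advice into practice, as an added example that is not from the original post: decode the raw calldata of a pending ERC-721 transaction into the function being called and the permission it grants, so that a setApprovalForAll(operator, true) request stands out before it is signed. The four selectors are the standard ERC-721 ones; the operator address and token ids are constructed sample values.

```python
# Added example (not from the original post): decode the calldata of an
# ERC-721 transaction before signing it, turning the hex blob a wallet shows
# into a readable call plus a plain-language risk note.
# Selectors are the first 4 bytes of keccak256 over the ERC-721 signatures.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
    "42842e0e": ("safeTransferFrom", ["address", "address", "uint256"]),
}

def _decode_word(word: bytes, abi_type: str):
    """Decode one 32-byte ABI word of a static type (address, bool, uint256)."""
    if abi_type == "address":
        if any(word[:12]):  # address is right-aligned; the padding must be zero
            raise ValueError("malformed address word")
        return "0x" + word[12:].hex()
    if abi_type == "bool":
        return int.from_bytes(word, "big") != 0
    return int.from_bytes(word, "big")

def assess(function: str, args: list) -> str:
    """Plain-language risk of the decoded call, for the person about to sign."""
    if function == "setApprovalForAll":
        if args[1]:
            return f"HIGH: operator {args[0]} may move EVERY token you own in this collection"
        return "LOW: revokes operator approval"
    if function == "approve":
        return f"MEDIUM: {args[0]} may move token #{args[1]} on your behalf"
    if function in ("transferFrom", "safeTransferFrom"):
        return f"TRANSFER: token #{args[2]} moves from {args[0]} to {args[1]}"
    return "UNKNOWN function: do not sign without verifying the contract ABI"

def decode_calldata(calldata: str) -> dict:
    """Parse 0x-prefixed ERC-721 calldata into function name, args and risk."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": [], "risk": assess("", [])}
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match the function signature")
    args = [_decode_word(body[32 * i:32 * (i + 1)], t) for i, t in enumerate(types)]
    return {"function": name, "selector": selector, "args": args, "risk": assess(name, args)}

# Constructed sample: setApprovalForAll(0x1111...1111, true), the kind of
# permission grant a fake "mint" site asks for instead of a plain mint call.
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
print(decode_calldata(SAMPLE_SET_APPROVAL_FOR_ALL))
```

A wallet that shows only "Set approval for all" with no operator address is asking you to make exactly the trust decision this output surfaces.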

4. Only Interact with Official Channels, Twitter Accounts, and Links: Restrict your Telegram, Discord, and email so that you do not receive messages from strangers and unofficial addresses. Use a link-checking website first, which will tell you whether a site is legitimate.

5. Never Share Your Seed Phrase or Wallet Private Key with Anyone: If you reveal your seed phrase or private key to anyone, they have full access to your digital assets. Anyone who has your private key or seed phrase can steal all of your tokens and NFTs.

6. Enable Authentication Methods / 2FA to Prevent Social Account Hacks: There have been many cases where NFT projects’ social media accounts on Discord and Twitter were hacked and the compromised accounts were used for the attackers’ gain. Check out this blog for more details on NFT social media hacks and how to prevent them.

Check out the comprehensive NFT anti-hack checklist for more details on keeping NFTs secure:
https://github.com/Quillhash/NFT-anti-hack-checklist

Further Research:

NFT-attack-vectors
Vulnerabilities and Anomalies in NFT Marketplaces
NFT-anti-hack-checklist
Top NFT Incidents of all time
Understanding Security Issues in the NFT Ecosystem

NFT Projects secured by QuillAudits:

1. Ekta NFT
2. The Gambling Kingdom NFT

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.



Written by QuillAudits - Web3 Security 🛡️

6+ Years Securing #Web3: 1M+ Lines Audited. Trusted by 1K+ Clients including StarkWare, Taiko, ZetaChain & Metis. Next-gen audits, KYC & on-chain monitoring.
